Snooping bosses

Media speculation that employers can no longer monitor their employees’ communications is misleading and unhelpful, writes Siân McKinley

In September 2017, when the Grand Chamber of the European Court of Human Rights (ECtHR) released its judgment in Barbulescu v Romania (App No. 61496/08), some newspapers reported this as a landmark ruling which ‘heralds the end of snooping bosses spying on workers’ emails and instant chats’ (see, for example, The Telegraph, 5 September 2017: bit.ly/2yKa2fE). The British press was previously accused of whipping up a ‘misinformed media storm’ by printing ‘inaccurate scare stories’ over the earlier decision of the Chamber in January 2016. This ‘new benchmark’ of careless reporting prompted the ECtHR to issue a statement explaining its role.

This case is an important ruling for privacy in the workplace, but not for the reason the press claims. Media speculation that employers can no longer monitor the communications of their employees is misleading and unhelpful. As is so commonly the case, the real picture is much more nuanced.

What is the actual position?

The case involved an instant messaging account which Mr Barbulescu created at his employer’s request. On 3 July 2007 the employer circulated an information notice which prohibited personal use of the internet and informed all employees that their work would be monitored. Shortly afterwards the employer began recording Barbulescu’s instant messaging communications. Barbulescu was already aware that personal computer use was prohibited but he did not see that his communications would be monitored until some point after the information notice had been circulated. It was not clear exactly when.

On 13 July 2007 he was told that his communications had been monitored and shown evidence that his internet activity was greater than that of his colleagues. At this stage Barbulescu claimed he had only used the instant messaging service for work-related purposes. An hour later, Barbulescu was shown 45 pages of messages of private messages he had sent. Barbulescu was dismissed and challenged his dismissal in the Romanian domestic courts. The domestic courts dismissed his claim. Before the Chamber and the Grand Chamber of the European Court, Barbulescu alleged that his telephone and email communications from this workplace were protected by his right to private life and correspondence under Art 8 of the European Convention on Human Rights.

What the court held

The Grand Chamber upheld Barbulescu’s claim and held that his Art 8 rights had been violated. When coming to this decision, the ECtHR stated that ‘an employer’s instructions cannot reduce private social life in the workplace to zero. Respect for private life and for the privacy of correspondence continues to exist, even if these may be restricted in so far as necessary.’ It is most likely this comment which led to the proclamations in the press that employers will no longer have access to employees’ emails.

Legally, this is an interesting statement of principle. This is the first time the ECtHR has said there is an irreducible minimum right to private social life in the workplace.

When considering whether an individual’s Art 8 rights have been engaged, it has always been relevant, although not determinative, whether individuals had a reasonable expectation that their privacy would be respected and protected. Normally the actions of an employer inform the employee as to whether he has a reasonable expectation of privacy and shape what that expectation looks like.

Now we know, no matter what an employer does, that it can’t completely reduce the reasonable expectations of privacy. This increases the chances that employees’ Art 8 rights will be engaged. This is not the end of the road for monitoring in the workplace, however. The ECtHR also acknowledged that employers have a legitimate interest in ensuring the smooth running of the organisation and a ‘right to engage in monitoring, including the corresponding disciplinary powers, in order to ensure the smooth running of the company.’

Once Art 8 has been engaged, there must be a balance between the employee’s right to private life and the employer’s interests. The proportionality test is used to determine where the fair balance must be struck between these competing interests. The ECtHR set out what the domestic courts should look for when weighing the employee’s right to respect for his private life and correspondence against the employer’s right to engage in monitoring.

Practical steps for employers

It’s important to remember that the ECtHR did not consider whether the private employer acted correctly, but rather whether the domestic courts adequately protected the employee’s right to private life when considering his challenge against his dismissal. However, this part of the judgment is still useful for employers wishing to monitor communications. Taking the following steps will make it easier for employers to defend such measures against challenges:

Employees should be notified of the possibility that the employer might take measures to monitor correspondence and other communications, and the way in which such measures will be implemented. Notification should be clear about the nature of monitoring and given in advance. If employers wish to monitor the actual content of communications, employees must be notified in advance of this.

Employers should assess, before monitoring begins, the extent of the monitoring they wish to carry out and the degree of intrusion into the employee’s privacy. Factors they should consider include:

Whether monitoring can be limited to the flow of communications, or the content as well;

Whether all communications have to be monitored, or monitoring only some communications would suffice;

Whether monitoring can be limited in time;

Whether there can be spatial limits to monitoring (ie if CCTV monitoring is required, can it be limited to some areas?);

Whether any restrictions can be placed on the number of people who have access to the results.

Employers should identify legitimate reasons to justify monitoring the communications. If the employer wishes to monitor the content of communications, more cogent reasons are required to justify this more invasive method.

Employers should assess whether it would have been possible to establish a monitoring system based on less intrusive methods and measures. If the employer wishes to monitor the content of communications, the employer must assess whether the legitimate reasons identified above could be achieved without directly accessing the full contents.

Employers should review the use of the result of the monitoring operation, the consequences for employees and whether the results achieve the reasons identified. If the measures are challenged, domestic courts must consider the consequences of the monitoring for the employee subjected to it and weigh this against the consequences for the employer.

Impact assessment and the GDPR

The Information Commissioner’s Office already recommends that, before any monitoring is carried out, an impact assessment is conducted. This impact assessment should take a very similar form to the guidance set out above. Employers should identify the purpose of the monitoring, its benefit, the adverse impact on the employees and whether there are less invasive means of achieving the employer’s aim (Employment Practices Code, 2011).

Under the General Data Protection Regulation (GDPR), which comes into force from May 2018, organisations must carry out an impact assessment if they wish to carry out a type of processing which is likely to result in a high risk to the rights and freedoms of individuals.

An impact assessment is required if the data controller intends to carry out systemic monitoring of a publicly accessible area on a large scale. There is no guidance on this provision but it could conceivably include monitoring of a telephone system used both by employees and the public (eg in a call centre or workplace in professional services or local authority). An impact assessment is also required if a type of processing would use new technology. It is possible that monitoring of employees’ communications would fall within this category.

The impact assessment under Art 35 of the GDPR requires the controller to carry out many of the same acts identified by the ECtHR in Barbulescu and by the ICO in the Employment Practices Code 2011.

Expectations of employers

So, although the guidance produced by the ECtHR appears onerous for employers, it is largely in line with what is already expected of employers and what will be required of businesses in certain circumstances from May 2018. The main difference is the suggestion by the ECtHR that employers must not be able to access the actual content of the communications concerned unless employees have been notified in advance that this may happen. Under the Employment Practices Code 2011, the ICO recommended workers should be aware of the nature, extent and reasons for any monitoring, but did accept that in exceptional circumstances covert monitoring could be justified. The ECtHR in its judgment does not mention this as a possibility.

The GDPR requires controllers, where appropriate, to seek the views of data subjects or their representatives on the processing (eg the monitoring). However, Art 35(9) states this would not be appropriate if it would prejudice the protection of commercial or public interests or the security of processing operations. This appears to preserve the ability of businesses to carry out covert monitoring in exceptional circumstance. As previously stated, the GDPR will be part of domestic law from next year. It is worth remembering that, in the UK, the Human Rights Act 1998 requires judges to take the decisions of the ECtHR into account, but there is no obligation to follow them.

Balancing act

It is therefore not the case that employers cannot monitor their employees’ communications, as the British press suggested. On the contrary, the ECtHR recognised businesses have a qualified right to engage in monitoring. The most important point for employers is to be aware that there needs to be a case-by-case balancing act. Monitoring which invades employees’ privacy to a greater degree will require stronger arguments in justification and, in most cases, a greater degree of warning.

Snooping bosses

In September 2017, when the Grand Chamber of the European Court of Human Rights (ECtHR) released its judgment in Barbulescu v Romania (App No. 61496/08), some newspapers reported this as a landmark ruling which ‘heralds the end of snooping bosses spying on workers’ emails and instant chats’ (see, for example, The Telegraph, 5 September 2017: bit.ly/2yKa2fE). The British press was previously accused of whipping up a ‘misinformed media storm’ by printing ‘inaccurate scare stories’ over the earlier decision of the Chamber in January 2016. This ‘new benchmark’ of careless reporting prompted the ECtHR to issue a statement explaining its role.

This case is an important ruling for privacy in the workplace, but not for the reason the press claims. Media speculation that employers can no longer monitor the communications of their employees is misleading and unhelpful. As is so commonly the case, the real picture is much more nuanced.

What is the actual position?

The case involved an instant messaging account which Mr Barbulescu created at his employer’s request. On 3 July 2007 the employer circulated an information notice which prohibited personal use of the internet and informed all employees that their work would be monitored. Shortly afterwards the employer began recording Barbulescu’s instant messaging communications. Barbulescu was already aware that personal computer use was prohibited but he did not see that his communications would be monitored until some point after the information notice had been circulated. It was not clear exactly when.

On 13 July 2007 he was told that his communications had been monitored and shown evidence that his internet activity was greater than that of his colleagues. At this stage Barbulescu claimed he had only used the instant messaging service for work-related purposes. An hour later, Barbulescu was shown 45 pages of messages of private messages he had sent. Barbulescu was dismissed and challenged his dismissal in the Romanian domestic courts. The domestic courts dismissed his claim. Before the Chamber and the Grand Chamber of the European Court, Barbulescu alleged that his telephone and email communications from this workplace were protected by his right to private life and correspondence under Art 8 of the European Convention on Human Rights.

What the court held

The Grand Chamber upheld Barbulescu’s claim and held that his Art 8 rights had been violated. When coming to this decision, the ECtHR stated that ‘an employer’s instructions cannot reduce private social life in the workplace to zero. Respect for private life and for the privacy of correspondence continues to exist, even if these may be restricted in so far as necessary.’ It is most likely this comment which led to the proclamations in the press that employers will no longer have access to employees’ emails.

Legally, this is an interesting statement of principle. This is the first time the ECtHR has said there is an irreducible minimum right to private social life in the workplace.

When considering whether an individual’s Art 8 rights have been engaged, it has always been relevant, although not determinative, whether individuals had a reasonable expectation that their privacy would be respected and protected. Normally the actions of an employer inform the employee as to whether he has a reasonable expectation of privacy and shape what that expectation looks like.

Now we know, no matter what an employer does, that it can’t completely reduce the reasonable expectations of privacy. This increases the chances that employees’ Art 8 rights will be engaged. This is not the end of the road for monitoring in the workplace, however. The ECtHR also acknowledged that employers have a legitimate interest in ensuring the smooth running of the organisation and a ‘right to engage in monitoring, including the corresponding disciplinary powers, in order to ensure the smooth running of the company.’

Once Art 8 has been engaged, there must be a balance between the employee’s right to private life and the employer’s interests. The proportionality test is used to determine where the fair balance must be struck between these competing interests. The ECtHR set out what the domestic courts should look for when weighing the employee’s right to respect for his private life and correspondence against the employer’s right to engage in monitoring.

Practical steps for employers

It’s important to remember that the ECtHR did not consider whether the private employer acted correctly, but rather whether the domestic courts adequately protected the employee’s right to private life when considering his challenge against his dismissal. However, this part of the judgment is still useful for employers wishing to monitor communications. Taking the following steps will make it easier for employers to defend such measures against challenges:

Employees should be notified of the possibility that the employer might take measures to monitor correspondence and other communications, and the way in which such measures will be implemented. Notification should be clear about the nature of monitoring and given in advance. If employers wish to monitor the actual content of communications, employees must be notified in advance of this.

Employers should assess, before monitoring begins, the extent of the monitoring they wish to carry out and the degree of intrusion into the employee’s privacy. Factors they should consider include:

Whether monitoring can be limited to the flow of communications, or the content as well;

Whether all communications have to be monitored, or monitoring only some communications would suffice;

Whether monitoring can be limited in time;

Whether there can be spatial limits to monitoring (ie if CCTV monitoring is required, can it be limited to some areas?);

Whether any restrictions can be placed on the number of people who have access to the results.

Employers should identify legitimate reasons to justify monitoring the communications. If the employer wishes to monitor the content of communications, more cogent reasons are required to justify this more invasive method.

Employers should assess whether it would have been possible to establish a monitoring system based on less intrusive methods and measures. If the employer wishes to monitor the content of communications, the employer must assess whether the legitimate reasons identified above could be achieved without directly accessing the full contents.

Employers should review the use of the result of the monitoring operation, the consequences for employees and whether the results achieve the reasons identified. If the measures are challenged, domestic courts must consider the consequences of the monitoring for the employee subjected to it and weigh this against the consequences for the employer.

Impact assessment and the GDPR

The Information Commissioner’s Office already recommends that, before any monitoring is carried out, an impact assessment is conducted. This impact assessment should take a very similar form to the guidance set out above. Employers should identify the purpose of the monitoring, its benefit, the adverse impact on the employees and whether there are less invasive means of achieving the employer’s aim (Employment Practices Code, 2011).

Under the General Data Protection Regulation (GDPR), which comes into force from May 2018, organisations must carry out an impact assessment if they wish to carry out a type of processing which is likely to result in a high risk to the rights and freedoms of individuals.

An impact assessment is required if the data controller intends to carry out systemic monitoring of a publicly accessible area on a large scale. There is no guidance on this provision but it could conceivably include monitoring of a telephone system used both by employees and the public (eg in a call centre or workplace in professional services or local authority). An impact assessment is also required if a type of processing would use new technology. It is possible that monitoring of employees’ communications would fall within this category.

The impact assessment under Art 35 of the GDPR requires the controller to carry out many of the same acts identified by the ECtHR in Barbulescu and by the ICO in the Employment Practices Code 2011.

Expectations of employers

So, although the guidance produced by the ECtHR appears onerous for employers, it is largely in line with what is already expected of employers and what will be required of businesses in certain circumstances from May 2018. The main difference is the suggestion by the ECtHR that employers must not be able to access the actual content of the communications concerned unless employees have been notified in advance that this may happen. Under the Employment Practices Code 2011, the ICO recommended workers should be aware of the nature, extent and reasons for any monitoring, but did accept that in exceptional circumstances covert monitoring could be justified. The ECtHR in its judgment does not mention this as a possibility.

The GDPR requires controllers, where appropriate, to seek the views of data subjects or their representatives on the processing (eg the monitoring). However, Art 35(9) states this would not be appropriate if it would prejudice the protection of commercial or public interests or the security of processing operations. This appears to preserve the ability of businesses to carry out covert monitoring in exceptional circumstance. As previously stated, the GDPR will be part of domestic law from next year. It is worth remembering that, in the UK, the Human Rights Act 1998 requires judges to take the decisions of the ECtHR into account, but there is no obligation to follow them.

Balancing act

It is therefore not the case that employers cannot monitor their employees’ communications, as the British press suggested. On the contrary, the ECtHR recognised businesses have a qualified right to engage in monitoring. The most important point for employers is to be aware that there needs to be a case-by-case balancing act. Monitoring which invades employees’ privacy to a greater degree will require stronger arguments in justification and, in most cases, a greater degree of warning.